一键在 Manus 中运行任何 Skill

开始使用

skill-security-reviewer

星标1

分支0

更新时间2026年6月3日 11:53

OWASP-based security review skill for sensitive AI Agent skills (auth/payment/upload)

安装

用 Codex 或 Claude 帮你安装复制这段 Prompt，粘贴到 Codex、Claude 或其他助手里，让它检查 Skill 页面并帮你完成安装。

在 Manus 中运行

来源

vuthuonghai-steve

vuthuonghai-steve/deep_work_by_steve

打开 GitHub 仓库查看创作者相关仓库

下载

在 Manus 中运行

Skill Security Reviewer

Security Review Workflow

Skill Creation → [Auth/Payment/Upload?] → YES → Security Review
                                          → NO → Skip to Gatekeeper

OWASP Checklist (5 Critical Categories)

SEC-01: Broken Access Control

check:
  - "Auth checks present on all protected endpoints"
  - "Role/permission validation exists"
  - "No direct object references without ownership check"

SEC-02: Cryptographic Failures

check:
  - "No hardcoded secrets (API keys, passwords, tokens)"
  - "Environment variables for sensitive data"
  - "No credentials in logs or error messages"

SEC-03: Injection

check:
  - "No string concatenation in shell commands"
  - "Parameterized queries used"
  - "Input validation on all user inputs"

SEC-04: Insecure Design

check:
  - "Skill không tạo security holes trong output"
  - "Sandbox execution specified cho scripts"
  - "Rate limiting documented nếu applicable"

SEC-05: Security Misconfiguration

check:
  - "Docker sandboxing specified cho executable scripts"
  - "No default credentials generated"
  - "Error messages không leak sensitive info"

Output Format

=== SECURITY REVIEW REPORT ===
Skill: {skill-name}
Timestamp: {date}
Trigger: {auth|payment|upload|manual}

Verdict: APPROVED / REQUEST CHANGES / REJECTED

Findings:
- [CRITICAL] {description}
- [HIGH] {description}
- [MEDIUM] {description}
- [LOW] {description}

Action: {instruction for builder}

Invocation

triggers:
  auto:
    - skill has authentication feature
    - skill handles payment/data
    - skill accepts file uploads
  manual:
    - user explicitly requests security review

Limitation

This is a guidance/checklist skill, not a penetration testing tool
For production security, always conduct manual review
Security findings are recommendations, not guarantees

Limitation: Security review is advisory. Final security responsibility lies with developer.

同仓库更多 Skills

同仓库

ba-analyst

vuthuonghai-steve/deep_work_by_steve

BA Analyst.

2026-06-071

ba-elicitor

vuthuonghai-steve/deep_work_by_steve

Micro-skill khơi gợi, chuẩn hóa yêu cầu nghiệp vụ thô và lượng hóa NFR.

2026-06-071

ba-synthesizer

vuthuonghai-steve/deep_work_by_steve

Hợp nhất và kiểm định chéo báo cáo BA.

2026-06-071

skill-sync

vuthuonghai-steve/deep_work_by_steve

Sync skills tu source (skills/rebuild/) den cac vi tri: workspace-level (.hermes/skills, .claude/skills) va user-level (~/.hermes/skills, ~/.claude/skills). Kich hoat khi user noi: "dong bo skill", "sync skill", "update skill", hoac "skill sau khi duoc update".

2026-06-071

production-code-reviewer

vuthuonghai-steve/deep_work_by_steve

Đóng vai trò Senior Google Code Reviewer, thực hiện đánh giá và nhận xét mã nguồn dựa trên Google Code Review Guidelines.

2026-06-021

production-quality-gatekeeper

vuthuonghai-steve/deep_work_by_steve

Tự động thiết lập và thực thi vòng lặp tự phản biện và hoàn thiện (self-refining loop) cho AI Agent đạt chuẩn Production-grade.

2026-06-021

name	skill-security-reviewer
description	OWASP-based security review skill for sensitive AI Agent skills (auth/payment/upload)
version	1.0.0
tags	["security","OWASP","review","gatekeeper"]
when_to_use	Khi skill có auth/payment/upload features — tự động invoke trước Gatekeeper approval. Không dùng cho documentation-only hoặc guidance skills.

Skill Security Reviewer

Security Review Workflow

Skill Creation → [Auth/Payment/Upload?] → YES → Security Review
                                          → NO → Skip to Gatekeeper

OWASP Checklist (5 Critical Categories)

SEC-01: Broken Access Control

check:
  - "Auth checks present on all protected endpoints"
  - "Role/permission validation exists"
  - "No direct object references without ownership check"

SEC-02: Cryptographic Failures

check:
  - "No hardcoded secrets (API keys, passwords, tokens)"
  - "Environment variables for sensitive data"
  - "No credentials in logs or error messages"

SEC-03: Injection

check:
  - "No string concatenation in shell commands"
  - "Parameterized queries used"
  - "Input validation on all user inputs"

SEC-04: Insecure Design

check:
  - "Skill không tạo security holes trong output"
  - "Sandbox execution specified cho scripts"
  - "Rate limiting documented nếu applicable"

SEC-05: Security Misconfiguration

check:
  - "Docker sandboxing specified cho executable scripts"
  - "No default credentials generated"
  - "Error messages không leak sensitive info"

Output Format

=== SECURITY REVIEW REPORT ===
Skill: {skill-name}
Timestamp: {date}
Trigger: {auth|payment|upload|manual}

Verdict: APPROVED / REQUEST CHANGES / REJECTED

Findings:
- [CRITICAL] {description}
- [HIGH] {description}
- [MEDIUM] {description}
- [LOW] {description}

Action: {instruction for builder}

Invocation

triggers:
  auto:
    - skill has authentication feature
    - skill handles payment/data
    - skill accepts file uploads
  manual:
    - user explicitly requests security review

Limitation

This is a guidance/checklist skill, not a penetration testing tool
For production security, always conduct manual review
Security findings are recommendations, not guarantees

Limitation: Security review is advisory. Final security responsibility lies with developer.